U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

PUBLIC RELEASE

PATENT AND TRADEMARK OFFICE

Year 2000 Business Continuity and Contingency Plan Is Comprehensive, but Additional Risk Mitigation Is Needed

Inspection Report No. OSE-11693-02 / December 1999

Office of Systems Evaluation

December 22, 1999

MEMORANDUM FOR: Q. Todd Dickinson, Assistant Secretary of Commerce and Commissioner of Patents and Trademarks

FROM: Johnnie E. Frazier

SUBJECT: Final Inspection Report, Year 2000 Business Continuity and Contingency Plan Is Comprehensive, but Additional Risk Mitigation Is Needed (OSE-11693-02)

This is the second of two reports on the Office of Inspector General’s review of the Patent and Trademark Office’s Year 2000 (Y2K) readiness efforts. The first report, PTO’s Year 2000 Renovations and Test Program Are Effective but Agency Should Freeze Changes and Verify Inventory (OSE-11693-01), September 1999, addressed PTO’s renovation, replacement and testing of selected critical systems.

This report examines PTO’s business continuity and contingency plan (BCCP). BCCPs are used by government agencies to reduce the risk of Y2K business failures. We found that in general, PTO has prepared a comprehensive Y2K BCCP. However, the plan needs several important additional elements to ensure continuity of operations and services if Y2K problems arise. The agency should establish and document minimum acceptable levels of outputs and services and should plan for the procurement of specific BCCP resources.
Also, BCCP test plans need to be further developed, test teams established, and business process tests executed to validate contingency plans. In addition, PTO needs to develop risk mitigation procedures for high-risk periods and obtain a legal review of its BCCP.

In its response to our draft report, PTO concurred with all of our recommendations. The recommendations, a synopsis of PTO’s response to each recommendation, and our discussion of PTO’s response begin on page 7. The response in its entirety is included as Appendix A.

We appreciate the cooperation of PTO staff during the review.

BACKGROUND

Patent and trademark processing was identified by the National Performance Review as being a “high impact” federal program based on the public’s reliance on these functions. Some of the computer systems PTO uses to process patent and trademark applications were originally programmed using the last two digits of year dates (rather than all four digits). Two-digit year dates will cause inaccurate computations associated with Y2K because the computers cannot distinguish between the years 1900 and 2000. If systems are not Y2K compliant, services crucial to intellectual property protection could be jeopardized.

Even though agencies such as PTO have undertaken large-scale efforts to make their systems Y2K compliant, there remains a risk that one or more mission-critical systems will fail and severely affect the agency’s ability to deliver critical services. Because of this risk, agencies must have BCCPs. The BCCP process focuses on reducing the risk of Y2K-induced failures.
It safeguards an agency’s ability to produce a minimum acceptable level of outputs and services in the event of failures of internal or external mission-critical information systems and services. It also links risk management and mitigation efforts to the agency’s Y2K program and helps to identify alternative resources and processes needed to operate the agency’s core business processes.

The General Accounting Office (GAO) published several guidelines to aid federal agencies in preparing for the year 2000 century change. According to GAO, a well-structured BCCP program includes the following four phases and supporting key processes:

• Initiating a BCCP - Establish a business project work group, and develop a high-level business continuity planning strategy. Develop a master schedule and milestones, and obtain executive support.

• Analyzing Business Impacts - Assess the potential impact of mission-critical system failures on the agency’s core business processes. Define Y2K failure scenarios, and perform risk and impact analyses of each core business process. Assess infrastructure risk, and define the minimum acceptable levels of outputs for each core business process.

• Contingency Planning - Identify and document contingency plans and implementation modes. Define triggers for activating contingency plans, and establish a business resumption team for each core business process.

• Testing - Validate the agency’s business continuity strategy. Develop and document contingency test plans. Prepare and execute tests. Update disaster recovery plans and procedures.

PTO developed an enterprise (agency) level BCCP that identifies broad areas of risk and general mitigation strategies and contingencies. The enterprise level BCCP is supported by detailed BCCPs.
The detailed BCCPs were developed by representatives from PTO’s five major business components: Policy, Patents, Trademarks, Information Dissemination, and Corporate Support.

PURPOSE AND SCOPE OF INSPECTION

The purpose of our review was to reduce the risk of business interruption due to the year 2000 century change by assessing actions taken by PTO and recommending practical risk mitigation and contingency planning activities. In our previous report, we examined a sample of PTO’s mission-critical systems to determine the extent of PTO’s renovation, replacement, and testing for Y2K preparedness. The focus of this report is the enterprise-level BCCP, the detailed Patents BCCP, and the detailed Trademarks BCCP. We evaluated PTO’s initiation of a BCCP program and its business impact analyses, contingency planning, and business process testing.

The fieldwork supporting our prior report and this report was conducted at PTO between April and August 1999. Our exit conference with PTO officials was held on August 23. Issuance of this report was delayed by issuance of our first PTO Y2K report and other ongoing Y2K evaluations elsewhere in the Department.

The observations, conclusions, and recommendations in this report are based on PTO’s draft enterprise-level BCCP, version 1.26, issued January 1999, and version 2.0, issued June 1999, along with supporting detailed BCCPs for both versions. System contingency plans were reviewed during our earlier evaluation of PTO systems for Y2K readiness.

PTO issued version 4.0 of its BCCP in October. We reviewed the revised BCCP to determine whether the changes made negated any of our recommendations.
We found that some improvements had been made to the BCCP. For example, the detailed Patents plan now identifies the procurement instruments PTO will employ to acquire goods and services needed to activate its BCCP. However, the plan still does not identify sources or schedules for acquiring goods and services. Therefore, the conclusions reached after reviewing the first two versions of PTO’s BCCP have not changed.

Our criteria were derived primarily from GAO’s Year 2000 Computing Crisis: Business Continuity and Contingency Planning, August 1998, and Y2K Computing Challenge: Day One Planning and Operations Guide, October 1999. The GAO guidance has been accepted by the Office of Management and Budget, the Chief Information Officers Council, and the Department. Our methodology included evaluating PTO’s BCCP documentation and interviewing staff within PTO’s Office of the Chief Information Officer, Office of Patents, and Office of Trademarks.

Our work was performed in accordance with the Inspector General Act of 1978, as amended, and the Quality Standards for Inspections, March 1993, issued by the President’s Council on Integrity and Efficiency.

OBSERVATIONS AND CONCLUSIONS

In general, PTO has prepared a comprehensive BCCP based primarily on alternative manual processes. However, the plan needs several important additional elements to ensure continuity of operations and services if Y2K problems arise. The agency should establish and document minimum acceptable levels of outputs and services for core business processes and should plan for the procurement of specific BCCP resources in the event of systems failures.
Also, BCCP test plans need to be further developed, test teams established, and business process tests executed to validate contingency plans, and the plans should be revised, if necessary, based on the test results. In addition, PTO needs to develop risk mitigation procedures for high-risk periods and obtain a legal review.

I. PTO Prepared a Comprehensive Y2K BCCP

PTO’s BCCP is composed of contingency plans from PTO’s five core business areas: Policy, Patents, Trademarks, Information Dissemination, and Corporate Support. The plan is based primarily on alternative manual processes for PTO’s core business areas. The descriptions of alternative procedures for “working around” any problems are presented in an easy-to-read format that should prove helpful to PTO staff with responsibility for implementing the BCCP. A consistent three-stage outline structure is used: first, risk mitigation; second, the business continuity approach; and third, the resumption stage. Moreover, the additional resources needed to implement the BCCP for each core business process are clearly identified.

PTO established an Executive Committee of senior level managers from all business areas to oversee the BCCP. The committee’s involvement lends credibility to the BCCP effort by providing coordination across PTO’s five core business areas and the Office of the Chief Information Officer. The committee prioritized the order in which PTO will address system failures based on business needs and established a business resumption team for each business area and a technical response team for each critical system.

II. Minimum Acceptable Levels of Outputs and Services Should Be Documented

PTO did not document minimum acceptable levels of outputs and services as part of its BCCP effort.
For example, the contingency strategies for 18 of the 22 Y2K risks/threats that are identified in Patents’ detailed BCCP use a combination of system fixes and “manual workarounds,” but do not mention any service level standards for the contingency plans (for example, the number of hours or days for recovery).

BCCPs should include strategies for meeting minimum acceptable output and service level requirements for each core business process. Output and service levels should include recovery and processing times for contingency plans. Without documented minimum acceptable output and service level requirements, business resumption team personnel may inadvertently exceed minimum recovery times or provide an unacceptable level of service. These deficiencies may affect the processing of other critical data and information inside and outside PTO, and it may make it difficult for PTO to make a decision to activate its BCCP.

Rather than following any specific guidance or methodology, PTO developed the BCCP based on knowledge of undefined “manual workarounds” by users in PTO’s five core business areas. However, the Department requested all bureaus to follow GAO’s guidance in preparing BCCPs, which requires agencies to define the minimum acceptable level of outputs and services in conducting business impact analyses.

III. Specific Sources and Milestone Dates for Acquisition of BCCP Resources Should Be Identified

PTO’s BCCP contains many references to acquiring goods and services later to support the implementation of the BCCP, such as a storage facility for patent applications and other documents that need to be retained during a Y2K disruption and additional staffing to photocopy incoming checks for patent application fees. However, specific sources and milestone dates for the procurement of these goods and services are not identified. In addition, potential Y2K failures may create a significant demand for vendor resources that might not be available unless PTO plans for the acquisition of these resources ahead of time.

IV. Test Plans Need to Be Further Developed, Test Teams Established, and Tests Executed to Validate Contingency Plans

PTO’s BCCP includes a test plan, but the plan lacks the following components: a testing schedule, establishment of test teams, rehearsals for the business resumption teams, and plans for test validation. The plan does not document that any tests have been conducted or are scheduled by either the Patents or the Trademarks business area.

The Executive Committee is responsible for triggering the BCCP, while the business resumption teams are responsible for managing the implementation of the BCCP. The test plan contains no references to joint rehearsals by the Executive Committee and the business resumption teams. Nor does it refer to establishing test teams or validating the test plan. Further, the plan does not discuss capturing “lessons learned” or updating the BCCP in the event that tested contingency plans do not meet minimum acceptable service levels.

The objective of testing is to evaluate whether contingencies provide the desired level of service to customers and can be implemented within a specified time.
PTO needs to improve BCCP test plans to ensure that tests will accurately demonstrate alternative levels of support to PTO’s core business processes. More detailed guidance is needed for documenting and executing BCCP testing procedures.

Because no test teams have been established to validate contingency plans, PTO cannot evaluate the BCCP’s capability to meet minimum acceptable levels of outputs and services. Without defined procedures that identify specific test tasks, conditions, and standards, test teams may find it difficult to conduct effective, consistent BCCP tests. Without plans to rehearse the business resumption teams, it may be difficult to assure PTO managers that the teams are capable of implementing the BCCP.

Without plans to update the BCCP based on the validation of test results and lessons learned, PTO may not benefit from any improvements identified during testing. BCCP tests may reveal that errors and inaccuracies exist, which, unless corrected, might hinder BCCP implementation by business resumption teams during a potential Y2K crisis.

PTO believes that its Y2K systems remediation, replacement, and testing have sufficiently reduced its risk of Y2K-induced disruptions to core business processes. In our discussions with business core teams, representatives from Patents accepted the need for testing, whereas the Trademarks representatives were reluctant to do so. Trademarks was confident that its staff will know how to operate the Y2K BCCP alternative manual processes, although its detailed BCCP offers little explanation of “manual workarounds.”

V. Risk Mitigation Procedures Need to Be Developed for High-Risk Periods

PTO as a whole has not sufficiently reduced its exposure to business risks during high-risk periods. All risks/threats in the PTO BCCP focus on only one date, January 1, 2000. PTO has not developed procedures for reducing risk to critical business processes for the days surrounding the century change. PTO’s BCCP does not document plans and procedures for the period between Thursday, December 30, 1999, and Tuesday, January 4, 2000. Plans for this period are referred to as “zero day” or “Day One” plans.

We discussed the need for such plans during interviews with PTO personnel. The Patents and Trademarks BCCP teams indicated that they would identify business processes that could be executed early to reduce risks at critical periods (for example, Patents could provide data to the Government Printing Office for publication before December 31; Trademarks could similarly arrange for advanced scheduling of Trademark searches).

Agencies should develop a comprehensive set of actions to be executed during the last days of 1999 and the first days of 2000. These actions must be integrated with agency BCCPs and should describe the key activities and responsibilities of agency component organizations and staff. The objectives of a “zero day” plan are to (1) position an organization to readily identify
Y2K-induced problems, take needed corrective actions, and minimize adverse impact on agency operations and key business processes, and (2) provide information about an organization’s Y2K condition to executive management, business partners, and the public.

The GAO guidance urges organizations to “consider the possibility that Year 2000 date problems may be encountered earlier than expected.” Industry experts specializing in Y2K have estimated that only 8 to 10 percent of Y2K-related failures will occur at the end of December 1999 and the beginning of January 2000.

Acknowledged critical Y2K-related dates include:

• December 31, 1999: The last date that some older mainframe-based systems can store.
• January 1, 2000: The date on which system anomalies and possible shutdowns may occur in non-remediated systems that could affect other dependent systems and organizations.
• February 29, 2000: The first leap year date in the new millennium.
• October 10, 2000: The first time the date field uses its maximum length (10/10/2000).
• December 31, 2000: The 366th day of leap year, which may not be recognized by some systems.

Again, PTO believes that its Y2K systems remediation, replacement, and testing have sufficiently reduced its Y2K risk.

VI. The BCCP Should Be Reviewed for Potential Legal Issues

PTO has not documented any legal involvement or review of its BCCP to identify potential legal shortcomings.
Some of the areas with potential impacts include human resource management policies and labor/management relation issues (for example, overtime, holiday schedules, and granting of leave during critical Y2K high-risk periods). GAO guidance states that “Access to legal advice is a necessity.” The issue was discussed during interviews with PTO personnel, who indicated that they were considering legal review.

RECOMMENDATIONS

To ensure the continuity of core business processes in the event of system failures at the turn of the century, we recommend that the Assistant Secretary of Commerce and Commissioner of Patents and Trademarks direct PTO staff to take the following actions:

1. Update the BCCP to include minimum acceptable levels of outputs and services for each core business process.

   Synopsis of PTO’s Response

   PTO concurs with this recommendation and has requested each business area to identify minimum levels of outputs and services. PTO has received some responses to this request and expects to update the BCCP with this information prior to the rollover period.

   OIG Discussion

   PTO’s action is responsive to the recommendation.

2. Immediately request PTO’s procurement office to proactively identify specific sources of goods and services needed to implement the BCCP and establish an acquisition timetable.

   Synopsis of PTO’s Response

   PTO concurs with this recommendation and has asked each business area to identify specific needs, sources, and timetables. PTO has received some responses from the business areas and expects to update the BCCP accordingly.

   OIG Discussion

   PTO’s action is responsive to the recommendation.

3. Test and validate the BCCPs, and commit resources to:

   a. Verify that test plans include a testing schedule.

   b. Establish test teams and assign responsibilities.

   c. Conduct business resumption team rehearsals.

   d. Develop plans to validate BCCP tests, review test results to evaluate the capability of contingency plans against performance criteria, and update the BCCP based on this validation if necessary.

   Synopsis of PTO’s Response

   PTO concurs with this recommendation and has carried out substantial testing of the BCCP, including both tabletop and actual testing/rehearsals. PTO provided documentation of these tests to Commerce’s Chief Information Officer on October 20, 1999.

   OIG Discussion

   PTO’s action is responsive to the recommendation.

4. At a minimum, have each business area develop a “zero day” plan to reduce its exposure to business risks during the high-risk period, December 30, 1999, to January 4, 2000. Additionally, consider extending PTO’s zero day plans to other high-risk dates.

   Synopsis of PTO’s Response

   PTO concurs with this recommendation and has established a “Day One Schedule” plan that covers all business areas and critical systems. PTO has also established “call in” lists of employees identified as necessary to implement the BCCP should it be necessary to trigger the plan. PTO plans to modify the BCCP and adopt it for other high-risk dates and other non-Y2K potential disruptions following the turn of the century.

   OIG Discussion

   PTO’s action is responsive to the recommendation.

5. Request and document the appropriate legal review of the BCCP.

   Synopsis of PTO’s Response

   PTO concurred with this recommendation and requested a legal review of the BCCP and received an opinion from the Office of the Solicitor on October 14, 1999. According to the Office of the Solicitor, the plan does not appear to be “contrary to either the Patent Statutes, 35 U.S.C., or the Trademark Statutes, 15 U.S.C.”

   OIG Discussion

   PTO’s action is responsive to the recommendation.